Sub-technique: T1070.001 - Clear Windows Event Logs
Objective: Detect attempts to clear event logs to evade detection.
Detect Security Log Cleared Events

```kql
DeviceEvents
| where ActionType == "SecurityLogCleared"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessParentFileName
```

Purpose: Identify when security logs are cleared.

Detect System Log Cleared Events

```kql
DeviceEvents
| where ActionType == "SystemLogCleared"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessParentFileName
```

Purpose: Monitor for system log clearing.

Detect Application Log Cleared Events

```kql
DeviceEvents
| where ActionType == "ApplicationLogCleared"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessParentFileName
```

Purpose: Identify when application logs are cleared.

Monitor for Log Deletion Commands

```kql
DeviceProcessEvents
// Match the binary and the clear verb separately so "wevtutil.exe cl" and the
// long form "clear-log" are caught, not only the literal phrase "wevtutil cl".
| where ProcessCommandLine has "wevtutil"
    and ProcessCommandLine has_any ("cl", "clear-log")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
```

Purpose: Detect usage of log clearing commands.

Identify Unauthorized Log Clearing Attempts

```kql
DeviceProcessEvents
// Scoped to event-log clearing commands; a bare "clear"/"delete" match fires on
// unrelated commands. Account comparison is case-insensitive (!~).
| where ProcessCommandLine has_any ("wevtutil", "Clear-EventLog")
    and ProcessCommandLine has_any ("cl", "clear-log", "Clear-EventLog")
    and InitiatingProcessAccountName !~ "Administrator"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
```

Purpose: Detect log clearing attempts by non-administrative users.

Monitor for Event Log Service Restarts

```kql
DeviceServiceEvents
| where ServiceName == "EventLog" and ActionType == "StartService"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
```

Purpose: Identify restarts of the Event Log service.

Detect Cleared Logs via PowerShell

```kql
DeviceProcessEvents
| where ProcessCommandLine has "Clear-EventLog"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessFolderPath
```

Purpose: Monitor PowerShell commands used to clear event logs.

Suspicious Access to Event Log Files

```kql
DeviceFileEvents
| where FolderPath has "System32\\winevt\\Logs"
| summarize event_count = count() by FileName, DeviceName
| where event_count > 1
```

Purpose: Identify suspicious access to log files.

Detect Log Clearing via Script

```kql
DeviceProcessEvents
// The script interpreter is normally the parent (cmd.exe /c x.bat), so the
// .bat/.cmd reference is checked on the parent command line as well as the child.
| where ProcessCommandLine has "wevtutil"
    and (ProcessCommandLine has_any (".bat", ".cmd")
         or InitiatingProcessCommandLine has_any (".bat", ".cmd"))
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
```

Purpose: Detect scripts used to clear event logs.

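The command-line heuristics in the queries above (wevtutil clear, Clear-EventLog, non-administrative accounts, launch from a .bat/.cmd script) can be exercised offline before they are deployed. The following Python is an added example, not part of the original page or of the Defender for Endpoint product: it models those heuristics over constructed sample records that use DeviceProcessEvents column names with made-up values. It goes slightly beyond the queries in two ways: the script check also looks at the parent command line, and the non-admin check is applied only to events that already matched a log-clearing command. The ADMIN_ACCOUNTS set is an assumption for the demo.

```python
import re

# Accounts treated as administrative for the "non-admin" heuristic.
# Constructed list for the demo; a real deployment should use group membership.
ADMIN_ACCOUNTS = {"administrator", "system", "local service", "network service"}

# wevtutil's clear verb is "cl" or its long form "clear-log"; the verb must follow
# the binary name (optionally quoted), which keeps read-only "wevtutil qe" out.
WEVTUTIL_CLEAR = re.compile(r'''\bwevtutil(?:\.exe)?["']?\s+(?:cl|clear-log)\b''', re.IGNORECASE)
POWERSHELL_CLEAR = re.compile(r"\bClear-EventLog\b", re.IGNORECASE)
SCRIPT_FILE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)

# Constructed sample records (DeviceProcessEvents column names, made-up values).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T08:12:03Z", "DeviceName": "ws01",
     "ProcessCommandLine": "wevtutil.exe cl Security",
     "InitiatingProcessAccountName": "svc_backup",
     "InitiatingProcessCommandLine": "cmd.exe /c C:\\Temp\\cleanup.bat"},
    {"Timestamp": "2024-05-01T08:15:40Z", "DeviceName": "ws02",
     "ProcessCommandLine": 'powershell.exe -NoProfile -Command "Clear-EventLog -LogName System"',
     "InitiatingProcessAccountName": "Administrator",
     "InitiatingProcessCommandLine": "explorer.exe"},
    {"Timestamp": "2024-05-01T08:20:11Z", "DeviceName": "ws01",
     "ProcessCommandLine": "wevtutil.exe qe Security /c:5 /f:text",  # read-only query
     "InitiatingProcessAccountName": "jdoe",
     "InitiatingProcessCommandLine": "cmd.exe"},
    {"Timestamp": "2024-05-01T08:21:55Z", "DeviceName": "ws03",
     "ProcessCommandLine": "cmd.exe /c del C:\\Temp\\old.txt",  # unrelated "delete"
     "InitiatingProcessAccountName": "jdoe",
     "InitiatingProcessCommandLine": "explorer.exe"},
    {"Timestamp": "2024-05-01T08:30:00Z", "DeviceName": "ws02",
     "ProcessCommandLine": '"C:\\Windows\\System32\\wevtutil.exe" clear-log Application',
     "InitiatingProcessAccountName": "SYSTEM",
     "InitiatingProcessCommandLine": "services.exe"},
]


def classify(event):
    """Return the list of heuristic tags that fire for one process event."""
    tags = []
    cmd = event.get("ProcessCommandLine", "")
    parent_cmd = event.get("InitiatingProcessCommandLine", "")
    account = event.get("InitiatingProcessAccountName", "").lower()

    if WEVTUTIL_CLEAR.search(cmd):
        tags.append("wevtutil_clear")
    if POWERSHELL_CLEAR.search(cmd):
        tags.append("powershell_clear")
    if not tags:
        return tags  # only enrich events that are actually log-clearing

    # The script is usually the parent (cmd.exe /c x.bat), not the wevtutil line.
    if SCRIPT_FILE.search(cmd) or SCRIPT_FILE.search(parent_cmd):
        tags.append("launched_from_script")
    if account not in ADMIN_ACCOUNTS:
        tags.append("non_admin_account")
    return tags


def hunt(events):
    """Project the columns the queries above return, plus the tags, for hits only."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append({
                "Timestamp": event["Timestamp"],
                "DeviceName": event["DeviceName"],
                "ProcessCommandLine": event["ProcessCommandLine"],
                "InitiatingProcessAccountName": event["InitiatingProcessAccountName"],
                "Tags": tags,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["InitiatingProcessAccountName"],
              ", ".join(hit["Tags"]), "|", hit["ProcessCommandLine"])
```

Running it flags three of the five sample events: the svc_backup clear launched from a batch file (three tags), the Administrator PowerShell clear, and the SYSTEM clear-log call; the read-only wevtutil query and the unrelated file deletion produce no tags, which is the false-positive class a bare "clear"/"delete" substring match would have raised.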
Monitor Changes to Audit Policy

```kql
DeviceRegistryEvents
// RegistryKey is recorded with the full hive name (HKEY_LOCAL_MACHINE), so the
// "HKLM" abbreviation would never match.
| where RegistryKey has "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessCommandLine
```

Purpose: Monitor changes to audit policies that could impact logging.